[Feat.] CCE: deletion protection for cce clusters (#3318)

[Feat.] CCE: deletion protection for cce clusters

Summary of the Pull Request

Add enable_deletion_protection parameter to opentelekomcloud_cce_cluster_v3 resource
Add enable_deletion_protection attribute to CCE cluster data sources


PR Checklist

 Refers to: #3300
 Tests added/passed.
 Documentation updated.
 Schema updated.
 Release notes added.

Acceptance Steps Performed
Resource test is skipped by default: the test framework always destroys resources after execution, which is expected to fail when deletion protection is enabled. The cluster must be deleted manually after running the test.
=== RUN   TestAccCCEClusterV3DataSource_basic
=== PAUSE TestAccCCEClusterV3DataSource_basic
=== CONT  TestAccCCEClusterV3DataSource_basic
--- PASS: TestAccCCEClusterV3DataSource_basic (446.07s)
PASS

Process finished with the exit code 0

Reviewed-by: Muneeb H. Jan <muneebhafeezjan@gmail.com>
Reviewed-by: Artem Lifshits
Reviewed-by: Anton Sidelnikov

Author: artem-lifshits

docs/data-sources/cce_cluster_v3.md

@@ -63,6 +63,8 @@ All above argument parameters can be exported as attribute parameters along with
 
 * `authentication_mode` - (Optional) Authentication mode of the cluster, possible values are `rbac` and `authenticating_proxy`.
 
+* `enable_deletion_protection` - Whether deletion protection is enabled for the cluster.
+
 * `subnet_id` - The ID of the subnet used to create the node.
 
 * `highway_subnet_id` - The ID of the high speed network used to create bare metal nodes.

docs/data-sources/cce_clusters_v3.md

@@ -84,6 +84,8 @@ The `clusters` block supports:
 
 * `authentication_mode` - The authentication mode of the cluster, possible values are `x509` and `rbac`. Defaults to `rbac`.
 
+* `enable_deletion_protection` - Whether deletion protection is enabled for the cluster.
+
 * `masters` - The advanced configuration of master nodes. Structure is documented below.
 
 * `security_group_id` - The security group ID of the cluster.

docs/resources/cce_cluster_v3.md

@@ -301,6 +301,8 @@ The following arguments are supported:
 
 * `ignore_certificate_clusters_data` - (Optional, Boolean) Skip sensitive cluster data.
 
+* `enable_deletion_protection` - (Optional, Boolean, ForceNew) Enable cluster deletion protection. Only effective during cluster creation. Changing this parameter will create a new cluster resource.
+
 * `custom_san` - (Optional, List) Specifies the custom san to add to certificate (array of string).
 
 * `component_configurations` - (Optional, List) Specifies the kubernetes component configurations.

go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/jmespath/go-jmespath v0.4.0
 	github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/opentelekomcloud/gophertelekomcloud v0.9.6-0.20260317095946-062973d490fd
+	github.com/opentelekomcloud/gophertelekomcloud v0.9.6-0.20260323130726-5844a1acfb29
 	github.com/unknwon/com v1.0.1
 	golang.org/x/crypto v0.46.0
 	golang.org/x/sync v0.19.0

go.sum

@@ -167,8 +167,8 @@ github.com/nsf/jsondiff v0.0.0-20200515183724-f29ed568f4ce h1:RPclfga2SEJmgMmz2k
 github.com/nsf/jsondiff v0.0.0-20200515183724-f29ed568f4ce/go.mod h1:uFMI8w+ref4v2r9jz+c9i1IfIttS/OkmLfrk1jne5hs=
 github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
-github.com/opentelekomcloud/gophertelekomcloud v0.9.6-0.20260317095946-062973d490fd h1:txohhyLhho4bpcV8Sbyl6NX6ZLWYk7lVjVl2/H2e1/I=
-github.com/opentelekomcloud/gophertelekomcloud v0.9.6-0.20260317095946-062973d490fd/go.mod h1:la8cQVYopRoEbNe2L7HlGTdLxUQOwIqHp1VHtjE/5qA=
+github.com/opentelekomcloud/gophertelekomcloud v0.9.6-0.20260323130726-5844a1acfb29 h1:xvC7TWnoZM5o3s6NeZkswFwpLPMksGS6XRlmMqdJmHc=
+github.com/opentelekomcloud/gophertelekomcloud v0.9.6-0.20260323130726-5844a1acfb29/go.mod h1:la8cQVYopRoEbNe2L7HlGTdLxUQOwIqHp1VHtjE/5qA=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

opentelekomcloud/acceptance/cce/resource_opentelekomcloud_cce_cluster_v3_test.go

@@ -833,6 +833,58 @@ resource "opentelekomcloud_cce_cluster_v3" "cluster_1" {
 `, common.DataSourceSubnet, clusterName)
 }
 
+// TestAccCCEClusterV3_deletionProtection verifies that a cluster with enable_deletion_protection enabled
+// cannot be deleted. After running this test, the cluster must be deleted manually:
+// disable deletion protection via the console first, then delete the cluster.
+func TestAccCCEClusterV3_deletionProtection(t *testing.T) {
+	t.Skip("this test requires manual cluster cleanup after execution")
+
+	var cluster clusters.Clusters
+	rc := common.InitResourceCheck(
+		resourceClusterName,
+		&cluster,
+		getCceClusterResourceFunc,
+	)
+	clusterName := randClusterName()
+	t.Parallel()
+
+	quotas.BookOne(t, quotas.CCEClusterQuota)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:          func() { common.TestAccPreCheck(t) },
+		ProviderFactories: common.TestAccProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCCEClusterV3DeletionProtection(clusterName),
+				Check: resource.ComposeTestCheckFunc(
+					rc.CheckResourceExists(),
+					resource.TestCheckResourceAttr(resourceClusterName, "name", clusterName),
+					resource.TestCheckResourceAttr(resourceClusterName, "status", "Available"),
+					resource.TestCheckResourceAttr(resourceClusterName, "enable_deletion_protection", "true"),
+				),
+			},
+		},
+	})
+}
+
+func testAccCCEClusterV3DeletionProtection(clusterName string) string {
+	return fmt.Sprintf(`
+%s
+
+resource "opentelekomcloud_cce_cluster_v3" "cluster_1" {
+  name                       = "%s"
+  cluster_type               = "VirtualMachine"
+  flavor_id                  = "cce.s1.small"
+  vpc_id                     = data.opentelekomcloud_vpc_subnet_v1.shared_subnet.vpc_id
+  subnet_id                  = data.opentelekomcloud_vpc_subnet_v1.shared_subnet.network_id
+  container_network_type     = "overlay_l2"
+  kubernetes_svc_ip_range    = "10.247.0.0/16"
+  ignore_addons              = true
+  enable_deletion_protection = true
+}
+`, common.DataSourceSubnet, clusterName)
+}
+
 func testAccCCEClusterV3ComponentConfigJSONString(clusterName string) string {
 	return fmt.Sprintf(`
 %s

opentelekomcloud/acceptance/common/quotas/quotas.go

@@ -185,12 +185,6 @@ func (q MultipleQuotas) X(multiplier int64) MultipleQuotas {
 	return newOne
 }
 
-// AcquireMultipleQuotas tries to acquire all given quotas, reverting on failure
-// Deprecated: use BookMany in tests instead
-func AcquireMultipleQuotas(e []*ExpectedQuota, interval time.Duration) error {
-	return acquireMultipleQuotas(e, interval)
-}
-
 func acquireMultipleQuotas(e []*ExpectedQuota, interval time.Duration) error {
 	// validate if all Count values of ExpectQuota are correct
 	var mErr *multierror.Error

opentelekomcloud/acceptance/ecs/utils.go

@@ -38,7 +38,11 @@ func TestAccCheckComputeV2InstanceDestroy(s *terraform.State) error {
 }
 
 func getFlavors() (map[string][]*quotas.ExpectedQuota, error) {
-	config := common.TestAccProvider.Meta().(*cfg.Config)
+	meta := common.TestAccProvider.Meta()
+	if meta == nil {
+		return nil, fmt.Errorf("provider meta is nil — ensure provider environment variables are set")
+	}
+	config := meta.(*cfg.Config)
 	client, err := config.ComputeV2Client(env.OS_REGION_NAME)
 	if err != nil {
 		return nil, fmt.Errorf("error creating OpenTelekomCloud ComputeV2 client: %s", err)
@@ -74,7 +78,8 @@ func init() {
 	if os.Getenv("TF_ACC") != "" { // this can be done only in acceptance
 		qs, err := getFlavors()
 		if err != nil {
-			panic("failed to get server flavors")
+			fmt.Printf("[WARN] failed to get server flavors: %s\n", err)
+			return
 		}
 		flavorsQuota = qs
 	}

opentelekomcloud/services/cce/data_source_opentelekomcloud_cce_cluster_v3.go

@@ -85,6 +85,10 @@ func DataSourceCCEClusterV3() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"enable_deletion_protection": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
 			"status": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -197,6 +201,7 @@ func dataSourceCCEClusterV3Read(_ context.Context, d *schema.ResourceData, meta
 		d.Set("eni_subnet_id", cluster.Spec.EniNetwork.SubnetId),
 		d.Set("eni_subnet_cidr", cluster.Spec.EniNetwork.Cidr),
 		d.Set("authentication_mode", cluster.Spec.Authentication.Mode),
+		d.Set("enable_deletion_protection", cluster.Spec.DeletionProtection),
 		d.Set("status", cluster.Status.Phase),
 		d.Set("internal", cluster.Status.Endpoints[0].Internal),
 		d.Set("external", cluster.Status.Endpoints[0].External),

opentelekomcloud/services/cce/data_source_opentelekomcloud_cce_clusters_v3.go

@@ -113,6 +113,10 @@ func DataSourceCCEClustersV3() *schema.Resource {
 							Type:     schema.TypeString,
 							Computed: true,
 						},
+						"enable_deletion_protection": {
+							Type:     schema.TypeBool,
+							Computed: true,
+						},
 						"security_group_id": {
 							Type:     schema.TypeString,
 							Computed: true,
@@ -236,24 +240,25 @@ func dataSourceCCEClustersV3Read(_ context.Context, d *schema.ResourceData, meta
 		ids = append(ids, v.Metadata.Id)
 
 		cluster := map[string]interface{}{
-			"name":                   v.Metadata.Name,
-			"id":                     v.Metadata.Id,
-			"status":                 v.Status.Phase,
-			"flavor_id":              v.Spec.Flavor,
-			"cluster_version":        v.Spec.Version,
-			"cluster_type":           v.Spec.Type,
-			"description":            v.Spec.Description,
-			"billing_mode":           v.Spec.BillingMode,
-			"vpc_id":                 v.Spec.HostNetwork.VpcId,
-			"subnet_id":              v.Spec.HostNetwork.SubnetId,
-			"container_network_cidr": v.Spec.ContainerNetwork.Cidr,
-			"container_network_type": v.Spec.ContainerNetwork.Mode,
-			"eni_subnet_id":          v.Spec.EniNetwork.SubnetId,
-			"eni_subnet_cidr":        v.Spec.EniNetwork.Cidr,
-			"authentication_mode":    v.Spec.Authentication.Mode,
-			"security_group_id":      v.Spec.HostNetwork.SecurityGroupId,
-			"enterprise_project_id":  v.Spec.ExtendParam["enterpriseProjectId"],
-			"service_network_cidr":   v.Spec.KubernetesSvcIpRange,
+			"name":                       v.Metadata.Name,
+			"id":                         v.Metadata.Id,
+			"status":                     v.Status.Phase,
+			"flavor_id":                  v.Spec.Flavor,
+			"cluster_version":            v.Spec.Version,
+			"cluster_type":               v.Spec.Type,
+			"description":                v.Spec.Description,
+			"billing_mode":               v.Spec.BillingMode,
+			"vpc_id":                     v.Spec.HostNetwork.VpcId,
+			"subnet_id":                  v.Spec.HostNetwork.SubnetId,
+			"container_network_cidr":     v.Spec.ContainerNetwork.Cidr,
+			"container_network_type":     v.Spec.ContainerNetwork.Mode,
+			"eni_subnet_id":              v.Spec.EniNetwork.SubnetId,
+			"eni_subnet_cidr":            v.Spec.EniNetwork.Cidr,
+			"authentication_mode":        v.Spec.Authentication.Mode,
+			"enable_deletion_protection": v.Spec.DeletionProtection,
+			"security_group_id":          v.Spec.HostNetwork.SecurityGroupId,
+			"enterprise_project_id":      v.Spec.ExtendParam["enterpriseProjectId"],
+			"service_network_cidr":       v.Spec.KubernetesSvcIpRange,
 		}
 
 		var endpoints []map[string]interface{}